PAM TRAINING
Insider Threat Profiles · Scenario Module
Security Training Module
INSIDER THREAT PROFILES

Ten scenario-based profiles covering the full spectrum of insider threats — from malicious actors to well-meaning employees. Learn the specific PAM controls that detect, contain, and prevent each threat vector.

10 threat profiles · 4 PAM control types · 74% of breaches involve insider access
Threat level scale: Critical, High, Medium, Low
01 · The Malicious Admin
Privileged insider deliberately abusing elevated access
Threat level: Critical
Marcus, a senior sysadmin with root access across 40 production servers, becomes disillusioned after being passed over for promotion. Over three weeks he quietly exfiltrates the customer database, drops backup schedules, and creates a hidden admin account for future re-entry — all using his legitimate credentials.
Behavioral Indicators
- Bulk data exports at odd hours
- Accessing systems outside role scope
- Creating undocumented accounts
- Disabling audit logging
- Lateral movement across the network
PAM Controls
Session Recording
Full keystroke and screen recording of every privileged session, written to storage the recorded admin cannot alter or delete (off-host, append-only, integrity-checked). Marcus's database exports, crontab changes and hidden account creation are captured as forensic evidence, and command-level logging lets the platform raise real-time alerts on dangerous commands. Recording only covers what passes through the proxy: a sysadmin who can still SSH straight to the host, or use the console, is not recorded, so direct root access has to be removed for this control to hold.
Approval Workflows
Require dual approval (the four-eyes principle) for destructive operations: dropping backup jobs, changing audit settings, creating new admin accounts. A second admin must approve, which breaks the solo-actor threat model. As with recording, the gate only holds where the brokered path is the only path to root.
Behavioral Anomaly Detection
Baseline each admin's normal behavior (which databases, which hours, how many rows) and alert when Marcus queries a database he has never touched, works outside business hours, or exports 10x his typical volume. SIEM or SOAR integration can suspend the session automatically on a high-confidence alert.
Immediate Revocation
Single-click or automated revocation terminates all active sessions, rotates every password Marcus knew, and invalidates his SSH keys. The hidden backdoor account was never tied to his identity, so revoking his access does not touch it; it is surfaced by account discovery (reconciling local and directory accounts against the managed inventory) or by access reviews, and disabled as soon as it is found.
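As an added example for this module (not code from any PAM product), the baseline-and-deviate logic the Behavioral Anomaly Detection control describes, run over a constructed audit log. The tab-separated log format, the 08:00 to 19:00 business-hours window and the two-week learning period are assumptions made here; the 10x volume rule is the one in the text.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log (not real data): tab-separated
# timestamp, user, database, action, rows. A week of Marcus's routine
# work, then the events from the scenario three weeks later.
SAMPLE_LOG = """\
2024-03-01T10:15:00\tmarcus\tinventory_db\tSELECT\t1200
2024-03-02T11:02:00\tmarcus\tinventory_db\tSELECT\t900
2024-03-04T14:30:00\tmarcus\torders_db\tSELECT\t1500
2024-03-05T09:45:00\tmarcus\tinventory_db\tSELECT\t1100
2024-03-06T16:10:00\tmarcus\torders_db\tSELECT\t1300
2024-03-07T10:00:00\tmarcus\tinventory_db\tSELECT\t1000
2024-03-08T13:20:00\tmarcus\torders_db\tSELECT\t1400
2024-03-22T02:40:00\tmarcus\tcustomer_db\tEXPORT\t480000
2024-03-23T03:05:00\tmarcus\tinventory_db\tSELECT\t1250
"""

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59; an assumption for this example
VOLUME_MULTIPLIER = 10          # the "10x typical volume" rule from the text
BASELINE_DAYS = 14              # learn from the first two weeks, score what follows


def parse_log(text):
    """Turn the tab-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, db, action, rows = line.split("\t")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "db": db, "action": action, "rows": int(rows)})
    return events


def build_baseline(events):
    """Per-user profile: databases touched and typical (median) row count."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return {user: {"dbs": {e["db"] for e in evs},
                   "median_rows": median(e["rows"] for e in evs)}
            for user, evs in by_user.items()}


def score_event(e, baseline):
    """Return the anomaly reasons for one event; an empty list means normal."""
    b = baseline.get(e["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if e["db"] not in b["dbs"]:
        reasons.append(f"new database {e['db']}")
    if e["ts"].hour not in BUSINESS_HOURS:
        reasons.append(f"off-hours access at {e['ts']:%H:%M}")
    if e["rows"] >= VOLUME_MULTIPLIER * b["median_rows"]:
        reasons.append(f"volume {e['rows']} >= {VOLUME_MULTIPLIER}x median {b['median_rows']:.0f}")
    return reasons


def detect(log_text, baseline_days=BASELINE_DAYS):
    """Learn a baseline from the first `baseline_days`, then score later events.

    Returns (timestamp, user, database, reasons) for each anomalous event.
    """
    events = parse_log(log_text)
    start = min(e["ts"] for e in events)

    def in_learning_window(e):
        return (e["ts"] - start).days < baseline_days

    baseline = build_baseline([e for e in events if in_learning_window(e)])
    alerts = []
    for e in events:
        if in_learning_window(e):
            continue
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["db"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, db, reasons in detect(SAMPLE_LOG):
        print(ts, user, db, "; ".join(reasons))
```

The export at 02:40 trips all three rules at once, which is the kind of event worth auto-suspending a session over; the 03:05 query trips only the off-hours rule, and a single weak signal like that belongs in a risk score, not an automatic block.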
02 · The Careless Contractor
Third-party worker with poor security hygiene and broad access
Threat level: High
DevOps contractor Priya is hired for a 6-week sprint. IT gives her broad access "to keep things moving." She stores VPN credentials in a shared Notion doc, uses her personal laptop (unpatched), leaves sessions open on shared workstations, and her contract ends — but her account is never removed. Six months later, attackers use her stale credentials to pivot into production.
Behavioral Indicators
- Access from a personal or unmanaged device
- Credentials stored in plaintext
- Sessions left open after work hours
- Access still active past the contract end date
PAM Controls
Access Reviews
Automated contractor access expiration tied to the contract end date in the HR or ITSM system. Weekly recertification prompts force managers to re-justify each active account. Priya's account would auto-expire on day 42, the last day of the six-week sprint, closing the six-month stale-access window completely.
Credential Vaulting
All privileged credentials are held by the PAM vault and never handed to contractors. Priya checks out a time-limited credential that is rotated after each session, and the session proxy injects it into the connection so she never sees the actual password. Nothing exists for her to paste into Notion. A vault that displays the password on checkout does not give this property; credential injection does.
Session Recording + Timeout
An idle timeout (15 minutes) terminates unattended privileged sessions on shared workstations. Full video recording provides accountability for contractor activity, and the session proxy enforces a device compliance check before the connection is established, which keeps the unpatched personal laptop out.
JIT (Just-in-Time) Access
Contractors receive just-in-time access for specific tasks only, with no standing permissions. Priya requests access to each environment per task, with automatic 4-hour expiry. Even if her account were forgotten after the contract, it would hold no entitlement for an attacker to reuse.
03 · The Disgruntled Employee
Angry insider staging sabotage or IP theft before departure
Threat level: Critical
After learning she's being laid off, database engineer Sofia begins downloading engineering schematics, customer lists, and source code repositories to a personal cloud drive. She also modifies automated test scripts to introduce subtle logic errors that will surface weeks after her departure — ensuring the project fails.
Behavioral Indicators
- Sudden spike in data downloads
- Accessing repositories outside scope
- Uploading to personal cloud storage
- Code commits with subtle errors
- HR flags: PIP or termination notice
PAM Controls
HR-Triggered Monitoring
Integration between the HR system and PAM automatically raises the monitoring level when an employee is flagged for a PIP, termination or resignation. Sofia's sessions are placed under enhanced recording and alerting the moment HR records the decision, which is normally before she is told.
DLP + Session Controls
Data Loss Prevention rules block bulk file transfers to personal cloud services from within privileged sessions. The session proxy inspects clipboard, file transfer and USB activity, so Sofia's attempt to sync 4 GB to Google Drive triggers an alert and a session block. This covers only traffic that goes through the proxy; uploads from her own browser on her laptop are a matter for endpoint DLP or a CASB.
Pre-Termination Revocation
A coordinated offboarding workflow pre-stages access revocation before the exit conversation. The moment Sofia is notified, all privileged access is revoked at once, eliminating the window between notification and revocation in which a disgruntled insider is most likely to act.
Code Repository Access Reviews
Quarterly access reviews ensure Sofia has write access only to her assigned repos, not the entire codebase, which limits the blast radius of any sabotage attempt. Commit signing ties every change to her verified identity for forensic tracing. The sabotaged test scripts themselves are caught by mandatory peer review on protected branches, not by PAM; signing only makes the author undeniable.
04 · The Accidental Data Leaker
Well-intentioned employee who inadvertently exposes sensitive data
Threat level: Medium
Finance analyst James needs to share a quarterly report with an auditor. He accidentally attaches the full ERP export, containing every employee's salary and SSN, instead of the summary PDF. He also CCs an external consultant instead of the internal audit team. The email is sent before he realizes his mistake.
Behavioral Indicators
- Email to the wrong recipient domain
- Attachment contains sensitive PII keywords
- Large file sent externally
- First-time access to a sensitive dataset
PAM Controls
Least-Privilege Access Reviews
James's role should not grant access to HR salary data at all. Regular access reviews and role-based permissions ensure finance analysts see only the data their job requires. With least privilege enforced, the ERP export containing SSNs would never have been available for him to attach.
Approval Workflows for Exports
Any bulk export of financial or HR data triggers a mandatory approval step. James must submit a business justification and receive manager sign-off before the export file is generated. This friction prevents casual access to sensitive datasets and creates an audit trail.
Session-Level DLP
PAM session policies scan file contents before allowing a download or transfer. Files containing SSN patterns, card numbers or PII keywords are flagged, and James gets a dialog asking him to confirm the file's sensitivity classification, a moment of friction that often catches honest mistakes. The mis-addressed email itself is the mail gateway's job: outbound DLP there checks the recipient domain and the attachment after the file has already left the session.
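The content check that the Session-Level DLP control here, and the DLP + Session Controls in profile 03, rely on, as an added example that is not the page's code or any product's. It scans outbound text for US SSNs and payment card numbers and applies the structural rules that cut false positives: SSN area numbers 000, 666 and 900 to 999 are never issued, and a card number must pass the Luhn checksum. The dashed SSN format, the 1 MB warn threshold and the sample rows are assumptions constructed for the example.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, each digit optionally followed by a single space or dash
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SIZE_LIMIT = 1_000_000   # bytes; assumption for this example


def valid_ssn(area, group, serial):
    """Structural check: the SSA never issues these ranges."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn checksum, which every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Count validated SSNs and card numbers; an empty dict means nothing found."""
    findings = {}
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings["ssn"] = findings.get("ssn", 0) + 1
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings["card"] = findings.get("card", 0) + 1
    return findings


def transfer_decision(text, size_bytes, size_limit=SIZE_LIMIT):
    """Decide block / warn / allow for an outbound file.

    "warn" is the confirmation dialog described in the module: the user must
    restate the file's classification before the transfer proceeds.
    """
    findings = classify(text)
    if findings:
        return "block", findings
    if size_bytes > size_limit:
        return "warn", findings
    return "allow", findings


# Constructed inputs (not real data): rows of the ERP export and a summary line.
# Row 2 carries an SSN that fails the area check and a card that fails Luhn.
ERP_EXPORT = (
    "emp_id,name,ssn,salary,card\n"
    "1001,A. Smith,123-45-6789,98000,4111 1111 1111 1111\n"
    "1002,B. Jones,000-12-3456,87000,1234 5678 9012 3456\n"
)
SUMMARY = "Q3 revenue 12.4M; order 987-65-4321 shipped 2024-09-30"

if __name__ == "__main__":
    print(transfer_decision(ERP_EXPORT, 4_000_000))   # ('block', {'ssn': 1, 'card': 1})
    print(transfer_decision(SUMMARY, 200_000))         # ('allow', {})
```

The validity rules matter more than the regexes: the order number 987-65-4321 in the summary has the shape of an SSN and a naive pattern would block the legitimate file, which is how users learn to click through warnings.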
05 · The Credential Sharer
Employee who distributes privileged credentials for convenience
Threat level: High
IT lead Daniel manages 12 shared service accounts across the team. To "avoid the ticket process," he sends the service account passwords to team members in Slack DMs, posts root credentials in a shared team channel, and keeps the production DB password on a sticky note on his monitor. After a team member leaves, nobody changes the passwords.
Behavioral Indicators
- Multiple concurrent logins to the same account
- Logins from multiple geographies simultaneously
- Credentials transmitted via chat or email
- No individual accountability for shared accounts
PAM Controls
Credential Vaulting
Privileged credentials are stored exclusively in the PAM vault and never distributed to individuals. Team members check out credentials for the duration of a session, and the vault rotates them afterwards. Nobody can share what they never see, so a Slack channel full of pasted passwords cannot exist.
Session Attribution
Even when multiple users share a service account, the PAM proxy requires individual authentication first and maps the shared session to a specific human identity. Every action under svc_db_prod is attributed to Daniel, then James, then Aisha, giving individual accountability on top of shared credentials.
Auto-Rotation on Access Change
When any team member leaves or changes roles, PAM rotates every credential they had access to, shared service accounts included, closing the stale-credential window attackers exploit. The rotation is logged as compliance evidence. For service accounts that applications consume, rotation also has to push the new secret to every consumer, which is why those dependencies must be inventoried before rotation is switched on.
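A minimal model of the three controls above (checkout from a vault, attribution of a shared account to a named human, rotation on check-in and on offboarding), added here as an example; it is not the API of any PAM product. Secrets live in memory and the audit trail is a list, and the account name svc_db_prod is the one from the scenario.

```python
import secrets
from datetime import datetime, timezone


class Vault:
    """In-memory stand-in for a PAM vault: checkout, attribution, rotation."""

    def __init__(self):
        self._passwords = {}   # account -> current secret
        self._checkouts = {}   # account -> user currently holding it
        self._history = {}     # user -> accounts that user has ever held
        self.audit = []        # (utc time, user, account, event)

    def _log(self, user, account, event):
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, account, event))

    def onboard(self, account):
        """Take the account under management; no human learns this value."""
        self._passwords[account] = secrets.token_urlsafe(24)
        self._log("vault", account, "onboarded")

    def rotate(self, account, reason):
        self._passwords[account] = secrets.token_urlsafe(24)
        self._log("vault", account, "rotated: " + reason)

    def checkout(self, user, account):
        """Exclusive checkout: one named human per shared account at a time."""
        if account in self._checkouts:
            raise PermissionError(f"{account} is held by {self._checkouts[account]}")
        self._checkouts[account] = user
        self._history.setdefault(user, set()).add(account)
        self._log(user, account, "checkout")
        return self._passwords[account]

    def checkin(self, user, account):
        """Release the account and rotate, so the value the user saw is dead."""
        if self._checkouts.get(account) != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._checkouts[account]
        self._log(user, account, "checkin")
        self.rotate(account, f"post-session rotation after {user}")

    def current_holder(self, account):
        """Attribution: which human is behind the shared account right now."""
        return self._checkouts.get(account)

    def offboard_user(self, user):
        """Rotate every account the departing user ever held, shared ones included."""
        affected = sorted(self._history.pop(user, set()))
        for account in affected:
            if self._checkouts.get(account) == user:
                del self._checkouts[account]
            self.rotate(account, f"{user} offboarded")
        return affected


def demo():
    """Daniel and James take turns on svc_db_prod, then Daniel leaves."""
    v = Vault()
    v.onboard("svc_db_prod")
    first = v.checkout("daniel", "svc_db_prod")
    v.checkin("daniel", "svc_db_prod")
    second = v.checkout("james", "svc_db_prod")   # rotated: differs from `first`
    v.checkin("james", "svc_db_prod")
    rotated = v.offboard_user("daniel")            # ["svc_db_prod"]
    attribution = [(u, a) for _, u, a, e in v.audit if e == "checkout"]
    return first != second, rotated, attribution


if __name__ == "__main__":
    print(demo())
```

The audit list is the attribution record: an event on svc_db_prod at a given time maps back to whoever held the checkout then. Rotation here is just replacing a string; in practice `rotate` is where the new secret gets pushed to the target system and to every application that consumes it.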
06 · The Shadow IT Creator
Employee building unauthorized systems with privileged resources
Threat level: Medium
Cloud engineer Rachel spins up 14 EC2 instances on the company AWS account to run a personal side project and a "productivity tool" for her team that bypasses the standard IT procurement process. The instances sit in an unmonitored VPC, hold copies of production data, and stay running for 7 months, reachable from the internet through security groups that allow inbound traffic from 0.0.0.0/0.
Behavioral Indicators
- Unusual cloud resource provisioning
- Resources in non-standard accounts or regions
- Untagged or orphaned cloud assets
- Data copied to unapproved storage
PAM Controls
Approval Workflows for Provisioning
Cloud provisioning above defined thresholds (for example more than 2 instances, or specific instance types) requires change-management approval. Rachel's 14-instance deployment would open a ticket requiring architecture review and budget approval, surfacing the shadow project before it launches.
Cloud Access Reviews
Monthly cloud entitlement reviews surface all resources created under Rachel's IAM role. Untagged instances, non-standard VPCs and open security groups are flagged automatically. The 7-month blind spot shrinks to a 30-day maximum before a mandatory review surfaces the shadow infrastructure.
Privileged Session Logging
All AWS console and API access through privileged roles is proxied and logged. Every aws ec2 run-instances call, VPC change and security group change is recorded with full command context. CloudTrail records the same API calls whether or not they pass through a proxy; what the PAM layer adds is the mapping from an assumed role back to the human who assumed it, and the ability to block or require approval before the call executes. Anomaly detection flags the unusual provisioning pattern on Rachel's first day of shadow-IT activity.
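The provisioning rules from the three controls above (launch count over a threshold, untagged resources, non-standard regions, security groups open to the world) as an added example run over constructed management events; this is not an AWS or PAM product feature. The events are flattened from CloudTrail's shape: eventName, awsRegion and the IAM principal ARN are CloudTrail fields, while count, tags and cidr stand in for the relevant requestParameters. The approved regions, required tags and the events themselves are invented for the example; the more-than-2-instances threshold is the one in the text.

```python
from collections import Counter

APPROVED_REGIONS = {"us-east-1", "eu-west-1"}   # assumption for this example
INSTANCE_THRESHOLD = 2                          # ">2 instances" from the text
REQUIRED_TAGS = {"Owner", "CostCenter"}          # assumption for this example

# Constructed events (invented values), one per API call, oldest first.
SAMPLE_EVENTS = [
    {"time": "2024-05-03T09:12:00Z", "name": "RunInstances", "region": "us-east-1",
     "actor": "arn:aws:iam::123456789012:user/rachel", "count": 8,
     "tags": {"Owner": "rachel", "CostCenter": "eng"}},
    {"time": "2024-05-03T09:40:00Z", "name": "RunInstances", "region": "sa-east-1",
     "actor": "arn:aws:iam::123456789012:user/rachel", "count": 6, "tags": {}},
    {"time": "2024-05-03T09:41:00Z", "name": "AuthorizeSecurityGroupIngress",
     "region": "sa-east-1", "actor": "arn:aws:iam::123456789012:user/rachel",
     "cidr": "0.0.0.0/0", "port": 22},
    {"time": "2024-05-03T11:00:00Z", "name": "RunInstances", "region": "us-east-1",
     "actor": "arn:aws:iam::123456789012:user/bob", "count": 1,
     "tags": {"Owner": "bob", "CostCenter": "ops"}},
]


def evaluate(events):
    """Apply the provisioning rules; returns (rule, actor, detail) tuples."""
    findings = []
    launched = Counter()   # (actor, day) -> instances launched that day
    for e in events:
        actor, day = e["actor"], e["time"][:10]
        if e["name"] == "RunInstances":
            launched[(actor, day)] += e["count"]
            missing = REQUIRED_TAGS - set(e.get("tags", {}))
            if missing:
                findings.append(("untagged", actor, f"missing {sorted(missing)}"))
            if e["region"] not in APPROVED_REGIONS:
                findings.append(("non-standard-region", actor, e["region"]))
        elif e["name"] == "AuthorizeSecurityGroupIngress":
            if e.get("cidr") in ("0.0.0.0/0", "::/0"):
                findings.append(("open-ingress", actor,
                                 f"port {e.get('port')} from {e['cidr']}"))
    # The launch-count rule needs the whole day's events, so it runs last.
    for (actor, day), n in launched.items():
        if n > INSTANCE_THRESHOLD:
            findings.append(("launch-threshold", actor, f"{n} instances on {day}"))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:22} {actor.rsplit('/', 1)[-1]:8} {detail}")
```

Run as an approval gate in front of the API the same rules decide whether a call needs a ticket; run over CloudTrail after the fact they are the monthly review, which is why the 14-instance day produces one finding per rule rather than one alert per instance.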
07 · The Privilege Hoarder
Long-tenured employee accumulating excessive permissions over time
Threat level: High
After 11 years at the company, IT manager Kevin has accumulated admin rights across 23 systems — many from roles he held years ago. He retains access to payroll, HR records, the SCADA network, and three acquired companies' environments. He doesn't actively misuse them, but when his account is phished, attackers gain an extraordinary foothold into nearly every critical system.
Behavioral Indicators
- Permissions spanning multiple departments
- Access to systems from previous roles
- Stale entitlements unused for 90+ days
- Access from acquired entities never reviewed
PAM Controls
Periodic Access Reviews
Quarterly access certification campaigns require Kevin's manager to re-certify each entitlement individually, and any permission unused for 90 days is flagged for removal. Kevin's 23-system access shrinks to the 4 systems his current role requires, which is all a phisher would then get.
JIT Elevated Access
Standing admin rights are replaced with JIT elevation. Kevin has no persistent admin on payroll or the SCADA network; he requests access for specific maintenance windows, approved in 2-hour blocks. A phished session token grants only what is active at that moment, not all 23 systems at once.
Entitlement Intelligence
Entitlement analytics compare Kevin's access profile against peers in the same role. Outliers, such as permissions 3x above the role baseline, are surfaced to security for review. This catches privilege creep that survives manual reviews, where reviewers rarely know what "normal" looks like and approve by default.
08 · The Departing Employee
Offboarding gap leaving active credentials post-resignation
Threat level: High
Senior developer Tom resigns and gives two weeks' notice. During the notice period nobody disables his access because "he's still needed to hand off." After his last day, a Friday evening, his Active Directory account isn't disabled until the following Tuesday, and his API tokens, AWS access keys and VPN certificate are never revoked at all. A former colleague discovers this by accident 8 months later.
Behavioral Indicators
- Active logins after the separation date
- API key usage from personal IP ranges
- After-hours access post-resignation
- Credential use with a geolocation mismatch
PAM Controls
Automated Offboarding Revocation
PAM integrates with the HR system so that revocation fires the moment the separation is recorded, on the last day rather than the following Tuesday. AD accounts, API tokens, SSH keys, VPN certificates and service-account memberships are revoked in a single orchestrated workflow instead of a manual checklist. Tom's gap goes from four days to zero.
Token & Key Inventory Reviews
Continuous discovery scans identify every API key, service token and certificate tied to Tom's identity, including those created in CI/CD pipelines, Terraform state and third-party SaaS integrations. The VPN certificate that went unnoticed for 8 months is surfaced in the first scheduled review cycle. Long-lived keys are what offboarding checklists miss; short-lived credentials issued per session leave nothing to revoke.
Notice-Period Session Recording
During the 2-week notice period Tom's sessions are placed under full recording with real-time review. This documents the legitimate handoff while detecting any data staging, and it ensures the handoff creates no new credentials or access for Tom that outlive his departure date.
09 · The Compromised Insider
Legitimate employee whose credentials are hijacked by external threat actors
Threat level: Critical
Finance VP Linda clicks a spear-phishing link that installs a remote access trojan on her laptop. The attackers harvest her credentials and session cookies through the trojan and, for 11 days, use them both through her laptop and from their own infrastructure in Eastern Europe: reading M&A documents, transferring $2.3M via BEC, and reading the CFO's calendar to time further attacks. Linda is unaware her credentials are in use from a second location while she works.
Behavioral Indicators
- Impossible travel: logins from 2 countries within 1 hour
- Concurrent sessions from different IPs
- Access at hours inconsistent with the user's time zone
- Unusual application access patterns
- Lateral movement from finance to IT systems
PAM Controls
Behavioral Analytics (UEBA)
User and Entity Behavior Analytics establishes Linda's normal access pattern: which applications, at what times, from which source IPs, moving how much data. A login from Eastern Europe at 3 AM that opens the M&A folders drives her risk score up immediately, and impossible-travel detection fires within minutes of the attacker's first direct session. If the attacker instead works entirely through the trojan on her laptop, the source IP is her own and the geographic signals stay silent; the time-of-day, application and data-volume signals are what remain.
Session Recording + Forensics
Full recording of privileged activity captures exactly what the attacker did under Linda's identity: which files were opened, what was transferred, which systems were reached. This evidence drives incident response, breach notification and legal proceedings, and it clears Linda of suspicion.
Automated Session Termination
When the UEBA risk score crosses the threshold, the PAM platform terminates Linda's active sessions, forces MFA re-authentication and alerts the SOC, all within seconds. The 11-day dwell time collapses to minutes from the first anomalous action.
Step-Up Auth for Sensitive Actions
High-risk actions (wire transfers above $10K, opening the M&A data room, modifying financial records) require step-up authentication over a separate trusted channel. An attacker holding Linda's password still cannot complete the wire without her hardware token, which breaks the BEC kill chain. The channel must be one the compromised laptop cannot answer on her behalf, such as a hardware token or a push to a separate device; otherwise the trojan can simply wait for her to approve.
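The two geographic signals from the indicator list, impossible travel and concurrent sessions from different countries, as an added example (not code from any UEBA product) run over constructed login events. The 900 km/h ceiling, the one-hour concurrency window, the coordinates and the events are all assumptions made for the example; Chicago and Kyiv are used only as a pair far enough apart to make the arithmetic obvious.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900          # assumption: faster than an airliner means two actors
CONCURRENCY_WINDOW_H = 1.0   # the "2 countries in 1 hour" indicator from the text

# Constructed login events (not real data): user, ISO time, country, lat, lon
SAMPLE_LOGINS = [
    ("linda", "2024-06-10T09:00:00", "US", 41.88, -87.63),   # Chicago office
    ("bob",   "2024-06-10T09:05:00", "US", 41.88, -87.63),
    ("linda", "2024-06-10T09:40:00", "UA", 50.45, 30.52),    # attacker infrastructure
    ("linda", "2024-06-10T10:15:00", "US", 41.88, -87.63),
    ("bob",   "2024-06-10T15:05:00", "US", 40.71, -74.01),   # New York, six hours later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(logins):
    """Group events per user, sorted by time, so consecutive pairs can be compared."""
    groups = defaultdict(list)
    for user, ts, country, lat, lon in logins:
        groups[user].append((datetime.fromisoformat(ts), country, lat, lon))
    for evs in groups.values():
        evs.sort()
    return groups


def impossible_travel(logins, max_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins whose implied speed no traveller could reach."""
    alerts = []
    for user, evs in _by_user(logins).items():
        for (t0, c0, la0, lo0), (t1, c1, la1, lo1) in zip(evs, evs[1:]):
            km = haversine_km(la0, lo0, la1, lo1)
            hours = (t1 - t0).total_seconds() / 3600
            # Zero elapsed time over any distance is the strongest signal,
            # not a division error.
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, c0, c1, round(km), round(hours, 2)))
    return alerts


def concurrent_countries(logins, window_h=CONCURRENCY_WINDOW_H):
    """Flag a user seen from two countries inside the window, distance aside."""
    alerts = []
    for user, evs in _by_user(logins).items():
        for (t0, c0, _, _), (t1, c1, _, _) in zip(evs, evs[1:]):
            if c0 != c1 and (t1 - t0).total_seconds() <= window_h * 3600:
                alerts.append((user, c0, c1))
    return alerts


if __name__ == "__main__":
    print(impossible_travel(SAMPLE_LOGINS))     # two alerts, both for linda
    print(concurrent_countries(SAMPLE_LOGINS))  # two alerts, both for linda
```

Bob's Chicago-to-New-York day stays quiet because six hours is plenty for roughly 1,100 km. Both functions see only source location, so an attacker who tunnels through Linda's laptop defeats them; that is the case the behavioral baseline has to cover.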
10 · The Third-Party Vendor
External supplier with remote access acting as a supply chain risk
Threat level: Critical
HVAC vendor ThermoCore has remote access to the building management system for maintenance. Their credentials — never rotated in 3 years — are stored in plaintext on a ThermoCore technician's laptop that is later stolen. Attackers use the HVAC system's network adjacency to pivot into the corporate network, replicating the Target-style breach vector. The vendor wasn't required to use MFA.
Behavioral Indicators
- Vendor access outside maintenance windows
- Connections from unknown vendor IPs
- Network pivoting from vendor-managed systems
- Credentials unchanged for 12+ months
PAM Controls
Vendor Credential Vaulting
ThermoCore never holds credentials directly. Vendor sessions are started through the PAM gateway with temporary, session-scoped credentials that rotate on every use. The stolen laptop contains no usable credential, only a portal login that requires MFA to activate, which removes the plaintext storage problem entirely.
Time-Bounded Access Approvals
Vendor access requires an approved maintenance ticket tied to a specific time window (for example 9 AM to 12 PM on Saturday). Outside that window the credentials are inactive regardless of who holds them. The after-hours attempt from the attacker's IP fails and raises an alert for the SOC.
Full Session Recording
Every vendor remote session is recorded with screen capture and command logging. Network isolation restricts vendor sessions to the BMS subnet, not adjacent corporate segments, so pivot attempts are blocked at the session proxy and recorded as evidence.
Vendor Access Reviews
Annual (at minimum) vendor access recertification requires the business owner to re-justify the vendor relationship and its scope. Three-year-old credentials are caught at the first review cycle, and unused vendor accounts are suspended automatically after 90 days of inactivity, eliminating stale supply-chain footholds.
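The time-bounded grant model that underlies the Time-Bounded Access Approvals control here, the contract-end expiry and 4-hour JIT access in profile 02, and the 2-hour JIT blocks in profile 07, as one added example that is not the page's code or any product's. A grant is a principal, a target and a hard window; a JIT request is clipped to a ceiling such as a contract end date; authorization succeeds only through an approved grant whose window contains the current time; and expiry is just the absence of a grant. The names, dates and the hypothetical `Grant` schema are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    """One time-bounded entitlement. `end` is the hard expiry: contract end,
    JIT TTL or close of a maintenance window. After it, the grant is simply gone."""
    principal: str
    target: str
    start: datetime
    end: datetime
    approved_by: Optional[str] = None   # None = still waiting for the second pair of eyes


def request_jit(principal, target, now, ttl=timedelta(hours=4), not_after=None):
    """Create a JIT grant; `not_after` (e.g. a contract end date) caps the TTL."""
    end = now + ttl
    if not_after is not None and not_after < end:
        end = not_after
    return Grant(principal, target, now, end)


def approve(grant, approver):
    """Four-eyes: the requester cannot approve their own grant."""
    if approver == grant.principal:
        raise ValueError("self-approval is not allowed")
    grant.approved_by = approver
    return grant


def authorize(grants, principal, target, now):
    """Allow only through an approved grant whose window contains `now`."""
    matching = [g for g in grants if g.principal == principal and g.target == target]
    if not matching:
        return "deny", "no grant on record"
    for g in matching:
        if g.start <= now < g.end:
            if g.approved_by:
                return "allow", f"approved by {g.approved_by}, expires {g.end:%Y-%m-%d %H:%M}"
            return "deny", "grant awaiting approval"
    return "deny", "outside every granted window"


def expire_stale(grants, now):
    """Drop ended grants and return them, i.e. what an expiry job would revoke."""
    ended = [g for g in grants if g.end <= now]
    grants[:] = [g for g in grants if g.end > now]
    return ended


def demo():
    grants = []
    # Profile 02: the contractor requests JIT access the night before her contract ends;
    # the 4-hour TTL is clipped to midnight, the contract end.
    contract_end = datetime(2024, 4, 12, 0, 0)
    g = request_jit("priya", "prod-k8s", datetime(2024, 4, 11, 22, 0), not_after=contract_end)
    grants.append(approve(g, "it-manager"))
    # Profile 10: vendor maintenance window, Saturday 09:00-12:00, approved on a ticket.
    window = Grant("thermocore", "bms", datetime(2024, 6, 8, 9), datetime(2024, 6, 8, 12))
    grants.append(approve(window, "facilities"))
    # Profile 07: a 2-hour elevation that was requested but never approved.
    grants.append(request_jit("kevin", "payroll", datetime(2024, 6, 8, 9), ttl=timedelta(hours=2)))
    return {
        "priya_end": g.end.isoformat(),
        "priya_during": authorize(grants, "priya", "prod-k8s", datetime(2024, 4, 11, 23))[0],
        "priya_after": authorize(grants, "priya", "prod-k8s", datetime(2024, 4, 12, 1))[0],
        "vendor_in_window": authorize(grants, "thermocore", "bms", datetime(2024, 6, 8, 10, 30))[0],
        "vendor_after_hours": authorize(grants, "thermocore", "bms", datetime(2024, 6, 8, 20))[0],
        "kevin_unapproved": authorize(grants, "kevin", "payroll", datetime(2024, 6, 8, 9, 30)),
        "expired_by_july": [x.principal for x in expire_stale(grants, datetime(2024, 7, 1))],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

The point of the design is that there is no "disable the account" step to forget: Priya's day-42 expiry, the vendor's Saturday window and Kevin's 2-hour block all end the same way, by the clock, and the after-hours attempt from the stolen laptop is denied for want of a grant rather than for want of someone remembering to act.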
✓ MODULE COMPLETE
You've reviewed all 10 insider threat profiles and their PAM controls.
Apply these principles to your organization's privileged access strategy.